Cisco ASA5505 logging

This is probably a very basic question...

I have a new Cisco ASA5505 and I'm looking at logging at the console level. Currently when I do a "sh logging" I just get the output below, not the system messages I expected and have seen on other PIX/ASA units.

Any ideas on what command I need to run in order to allow these messages?

mipsasa01# sh logging
Syslog logging: enabled
    Facility: 20
    Timestamp logging: disabled
    Standby logging: disabled
    Deny Conn when Queue Full: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: disabled
    Trap logging: disabled
    History logging: disabled
    Device ID: disabled
    Mail logging: disabled
    ASDM logging: level informational, 7108 messages logged

The "show logging" command displays what is called the log buffer. Your buffer logging is disabled. Use the "logging buffered" config command to enable it. You can adjust the size of the buffer with "logging buffer-size". I think the buffer takes space in main memory, so don't go overboard.

http://www.Cisco.com/en/us/docs/security/ASA/asa80/command/reference/L2.html#wp1729451
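As an added illustration of the answer above (this is example code written for this page, not the poster's or Cisco's), the following parses the "show logging" output from the question and lists which logging commands would turn on the destinations it reports as disabled. The "show logging" text is the one from the question; the set of destinations treated as must-haves is an assumption.

```python
"""Audit an ASA 'show logging' and list the commands that would enable the
logging destinations it reports as disabled.

Added example for this thread, not the poster's or Cisco's code. The sample
text is the 'show logging' output from the question; the set of destinations
treated as must-haves is an assumption."""
import re

# The output from the question above (constructed copy for offline use).
SAMPLE_SHOW_LOGGING = """\
Syslog logging: enabled
    Facility: 20
    Timestamp logging: disabled
    Standby logging: disabled
    Deny Conn when Queue Full: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: disabled
    Trap logging: disabled
    History logging: disabled
    Device ID: disabled
    Mail logging: disabled
    ASDM logging: level informational, 7108 messages logged
"""

# Destinations a SOC normally wants, with the ASA command that turns each on.
# <level> is a placeholder for the severity the admin picks (e.g. informational).
MUST_HAVE = {
    "Buffer logging": "logging buffered <level>",
    "Trap logging": "logging trap <level>",      # also needs a 'logging host'
    "Timestamp logging": "logging timestamp",
}

LINE_RE = re.compile(r"^\s*(?P<name>[^:]+):\s*(?P<state>.+?)\s*$")
LEVEL_RE = re.compile(r"level (?P<level>\w+)(?:, (?P<count>\d+) messages logged)?")


def parse_show_logging(text):
    """Map each 'Name: state' line to {'enabled', 'level', 'logged'}.

    'enabled' is False only for lines that literally say 'disabled'; the
    ASDM line also carries its level and the number of buffered messages."""
    parsed = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        state = m.group("state")
        entry = {"enabled": not state.startswith("disabled"),
                 "level": None, "logged": None}
        lv = LEVEL_RE.search(state)
        if lv:
            entry["level"] = lv.group("level")
            if lv.group("count"):
                entry["logged"] = int(lv.group("count"))
        parsed[m.group("name").strip()] = entry
    return parsed


def recommend(parsed):
    """Return the config commands for must-have destinations that are off.

    'logging enable' comes first if the global switch itself is disabled,
    since none of the other commands produce output without it."""
    cmds = []
    syslog = parsed.get("Syslog logging")
    if syslog is not None and not syslog["enabled"]:
        cmds.append("logging enable")
    for dest, cmd in MUST_HAVE.items():
        entry = parsed.get(dest)
        if entry is not None and not entry["enabled"]:
            cmds.append(cmd)
    return cmds


if __name__ == "__main__":
    state = parse_show_logging(SAMPLE_SHOW_LOGGING)
    for dest, info in state.items():
        print(f"{dest:28s} {'on' if info['enabled'] else 'off'}"
              + (f"  level={info['level']}" if info["level"] else ""))
    print("\nSuggested config:")
    for cmd in recommend(state):
        print("  " + cmd)
```

Run against the output in the question it suggests enabling the buffer, a syslog trap destination and timestamps; the ASDM buffer is the only destination that is already collecting messages, which is why the poster sees nothing on the console or in "show logging".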


Similar Questions

  • Cisco ASA5505 with double tis + IPSEC

    Hello guys,

    I have a problem with dual ISP + IPSEC on my Cisco ASA5505 with the Security Plus license.

    Routing works OK (connecting to the Internet from siteA works through the second ISP as well), but IPSEC works only through the first ISP! It seems that phase 1 and 2 of IPSEC are fine, but the packets are only encrypted and not decrypted. Do you have an idea what the problem is?

    I try to ping from siteA (PC 10.4.1.66) to siteB (PC 10.3.128.50).

    Thank you

    config site A:

    ##########################################################################

    ASA5505 Version 8.2(1)
    interface Vlan1
     nameif inside
     security-level 100
     ip address 10.4.1.65 255.255.255.248
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address 192.168.1.2 255.255.255.0
    !
    interface Vlan3
     nameif internet
     security-level 0
     ip address 212.89.235.yy 255.255.255.248
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
     switchport access vlan 3
    access-list outside_cryptomap extended permit icmp 10.4.1.64 255.255.255.248 10.3.128.0 255.255.255.0
    access-list sheep extended permit ip 10.4.1.64 255.255.255.248 10.3.0.0 255.255.0.0
    access-list sheep extended permit ip 10.4.1.64 255.255.255.248 10.16.0.0 255.255.0.0
    access-list inside extended permit ip any any
    access-list inside extended permit icmp any any
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu internet 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-621.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    global (internet) 1 interface
    nat (inside) 0 access-list sheep
    nat (inside) 1 10.4.1.64 255.255.255.248
    access-group internet_in in interface outside
    access-group internet_in in interface internet
    route outside 0.0.0.0 0.0.0.0 192.168.1.1 1 track 1
    route internet 0.0.0.0 0.0.0.0 212.89.235.yy 254
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    sla monitor 123
     type echo protocol ipIcmpEcho 212.89.229.xx interface outside
     num-packets 3
     frequency 10
    sla monitor schedule 123 life forever start-time now
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec security-association lifetime seconds 3600
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map outside_map0 1 match address outside_cryptomap
    crypto map outside_map0 1 set peer 212.89.229.xx
    crypto map outside_map0 1 set transform-set ESP-AES-256-SHA
    crypto map outside_map0 1 set security-association lifetime seconds 28800
    crypto map outside_map0 1 set security-association lifetime kilobytes 4608000
    crypto map outside_map0 2 match address outside_cryptomap_1
    crypto map outside_map0 interface outside
    crypto map outside_map0 interface internet
    crypto isakmp identity hostname
    crypto isakmp enable outside
    crypto isakmp enable internet
    crypto isakmp policy 3
     authentication pre-share
     encryption aes-256
     hash sha
     group 2
     lifetime 300
    !
    track 1 rtr 123 reachability
    telnet 10.4.1.64 255.255.255.248 inside
    telnet timeout 1440
    ssh 10.4.1.64 255.255.255.248 inside
    ssh 212.89.229.xx 255.255.255.255 outside
    ssh timeout 60
    ssh version 2
    console timeout 0
    management-access inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 194.160.23.2 source outside
    webvpn
    group-policy DfltGrpPolicy attributes
     vpn-tunnel-protocol IPSec l2tp-ipsec
    username xx
    tunnel-group 212.89.229.xx type ipsec-l2l
    tunnel-group 212.89.229.xx ipsec-attributes
     pre-shared-key *

    siteA# sh crypto isakmp sa d

       Active SA: 1
        Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 1

    1   IKE Peer: 212.89.229.xx
        Type    : L2L             Role    : initiator
        Rekey   : no              State   : MM_ACTIVE
        Encrypt : aes-256         Hash    : SHA
        Auth    : preshared       Lifetime: 300
        Lifetime Remaining: 91

    siteA# sh crypto ipsec sa
    interface: internet
        Crypto map tag: outside_map0, seq num: 1, local addr: 212.89.235.yy

          access-list outside_cryptomap permit icmp 10.4.1.64 255.255.255.248 10.3.128.0 255.255.255.0
          local ident (addr/mask/prot/port): (10.4.1.64/255.255.255.248/1/0)
          remote ident (addr/mask/prot/port): (10.3.128.0/255.255.255.0/1/0)
          current_peer: 212.89.229.xx

          #pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 7
          #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 7, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0

          local crypto endpt.: 212.89.235.115, remote crypto endpt.: 212.89.229.2

          path mtu 1500, ipsec overhead 74, media mtu 1500
          current outbound spi: 2A9B550B

        inbound esp sas:
          spi: 0xCF456F65 (3477434213)
             transform: esp-aes-256 esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, }
             slot: 0, conn_id: 32768, crypto-map: outside_map0
             sa timing: remaining key lifetime (kB/sec): (4374000/28629)
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001
        outbound esp sas:
          spi: 0x2A9B550B (714822923)
             transform: esp-aes-256 esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, }
             slot: 0, conn_id: 32768, crypto-map: outside_map0
             sa timing: remaining key lifetime (kB/sec): (4373999/28629)
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001

    siteA# sh logging asdm | i 10.3.128.50
    6|Sep 19 2011 10:27:37|302020: Built outbound ICMP connection for faddr 10.3.128.50/0 gaddr 10.4.1.66/1024 laddr 10.4.1.66/1024
    6|Sep 19 2011 10:27:39|302021: Teardown ICMP connection for faddr 10.3.128.50/0 gaddr 10.4.1.66/1024 laddr 10.4.1.66/1024

    config site B:

    ##########################################################################

    ASA 5510 Version 8.0(4)
    interface Ethernet0/0
     nameif outside
     security-level 0
     ip address 212.89.229.xx 255.255.255.240
     ospf cost 10
    interface Ethernet0/1.10
     vlan 10
     nameif users
     security-level 50
     ip address 10.3.128.0 255.255.255.0
    access-list siteA extended permit ip 10.3.128.0 255.255.255.0 10.4.1.64 255.255.255.248
    crypto ipsec transform-set RIGHT esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec security-association lifetime seconds 3600
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map outside_map 9 match address siteA
    crypto map outside_map 9 set peer 212.89.229.xx
    crypto map outside_map 9 set transform-set ESP-AES-256-SHA
    crypto map outside_map 9 set security-association lifetime seconds 28800
    crypto map outside_map 9 set security-association lifetime kilobytes 4608000
    crypto map outside_map 10 match address siteA
    crypto map outside_map 10 set peer 212.89.235.yy
    crypto map outside_map 10 set transform-set ESP-AES-256-SHA
    crypto map outside_map 10 set security-association lifetime seconds 28800
    crypto map outside_map 10 set security-association lifetime kilobytes 4608000
    crypto isakmp policy 20
     authentication pre-share
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    tunnel-group 212.89.229.xx type ipsec-l2l
    tunnel-group 212.89.229.xx ipsec-attributes
     pre-shared-key *
    tunnel-group 212.89.235.yy type ipsec-l2l
    tunnel-group 212.89.235.yy ipsec-attributes
     pre-shared-key *

    SiteB# sh crypto isakmp sa d

       Active SA: 7
        Rekey SA: 1 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 8

    8   IKE Peer: 212.89.235.115
        Type    : L2L             Role    : initiator
        Rekey   : no              State   : MM_ACTIVE
        Encrypt : aes-256         Hash    : SHA
        Auth    : preshared       Lifetime: 300
        Lifetime Remaining: 245

    SiteB# sh crypto ipsec sa | b 212.89.235.yy
          current_peer: 212.89.235.yy

          #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
          #pkts decaps: 12, #pkts decrypt: 12, #pkts verify: 12
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0

          local crypto endpt.: 212.89.229.xx, remote crypto endpt.: 212.89.235.yy

          path mtu 1500, ipsec overhead 74, media mtu 1500
          current outbound spi: CF456F65

        inbound esp sas:
          spi: 0x2A9B550B (714822923)
             transform: esp-aes-256 esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, }
             slot: 0, conn_id: 4378624, crypto-map: outside_map
             sa timing: remaining key lifetime (kB/sec): (3914999/27310)
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00001FFF
        outbound esp sas:
          spi: 0xCF456F65 (3477434213)
             transform: esp-aes-256 esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, }
             slot: 0, conn_id: 4378624, crypto-map: outside_map
             sa timing: remaining key lifetime (kB/sec): (3915000/27308)
             IV size: 16 bytes
             replay detection support: Y

    SiteB# sh logging asdm | i 10.4.1.66
    6|Sep 19 2011 10:29:49|302021: Teardown ICMP connection for faddr 10.4.1.66/1024 gaddr 10.3.128.50/0 laddr 10.3.128.50/0
    6|Sep 19 2011 10:29:50|302020: Built inbound ICMP connection for faddr 10.4.1.66/1024 gaddr 10.3.128.50/0 laddr 10.3.128.50/0

    I'm glad this answered your question; feel free to mark the post as answered and rate useful messages.

    Good day.

  • Cisco ASA5505 Gigabit?

    Hi all

    Checked the POST on an ASA5505 (9.1(3)) and it shows 2 Gigabit NICs:

    Total NICs found: 10
    88E6095 rev 2 Gigabit Ethernet @ index 09 MAC: 0000.0003.0002
    88E6095 rev 2 Ethernet @ index 08 MAC: 885a.92d9.f938
    88E6095 rev 2 Ethernet @ index 07 MAC: 885a.92d9.f937
    88E6095 rev 2 Ethernet @ index 06 MAC: 885a.92d9.f936
    88E6095 rev 2 Ethernet @ index 05 MAC: 885a.92d9.f935
    88E6095 rev 2 Ethernet @ index 04 MAC: 885a.92d9.f934
    88E6095 rev 2 Ethernet @ index 03 MAC: 885a.92d9.f933
    88E6095 rev 2 Ethernet @ index 02 MAC: 885a.92d9.f932
    88E6095 rev 2 Ethernet @ index 01 MAC: 885a.92d9.f931
    y88acs06 rev16 Gigabit Ethernet @ index 00 MAC: 885a.92d9.f939

    Is there a Gigabit licenses on the roadmap?

    Kind regards

    Norbert

    Hello

    I doubt it has anything to do with any upcoming changes, as the device is specced for only 150Mbps throughput.

    I haven't seen Cisco release any replacement model, even though I have asked a few times.

    I think the 2 GigabitEthernet interfaces refer to the Internal-Data0/0 and Internal-Data0/1 interfaces.

    Here is the output from my own ASA:

    Interface Internal-Data0/0 "", is up, line protocol is up
      Hardware is y88acs06, BW 1000 Mbps, DLY 10 usec
            (Full-duplex), (1000 Mbps)
    Interface Internal-Data0/1 "", is up, line protocol is up
      Hardware is 88E6095, BW 1000 Mbps, DLY 10 usec
            (Full-duplex), (1000 Mbps)

    Also, here is a picture from a Cisco Live! presentation on the architecture of the ASA5505 model.

    Hope this helps

    -Jouni

  • Configuration VPN Cisco ASA5505 new 800

    I have 2 office buildings using Cisco 800 series routers with a L2L VPN between the two.  I'm upgrading from the router to an ASA5505 at one of the offices but cannot figure out the L2L VPN on the ASA.  Specifically, I can't work out how to set the pre-shared key.  On the Cisco 800 there is:

    crypto isakmp key <key> address <peer-address>

    This doesn't seem to work on the ASA.  Can anyone help with this?  Here is my current config on the Cisco 800...

    crypto isakmp policy 10
     encr 3des
     hash md5
     authentication pre-share
     group 2
    crypto isakmp key <key> address <peer-address>
    !
    !
    crypto ipsec transform-set DUMAC3 esp-3des esp-md5-hmac
    crypto ipsec df-bit clear
    !
    crypto map MYmap 10 ipsec-isakmp
     set peer 75.148.153.217
     set security-association lifetime seconds 36000
     set transform-set DUMAC3
     match address 101
    access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.7.0 0.0.0.255

    In your crypto maps, the '10' and '65535' are the sequence numbers. A crypto map might look like this:

    crypto map primaryisp_map 10 match address 101
    crypto map primaryisp_map 10 set peer 99.119.80.165
    crypto map primaryisp_map 10 set ikev1 transform-set DUMAC3
    crypto map primaryisp_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map primaryisp_map interface primaryisp

  • Cisco ASA5505. Not available through the firewall identity web services

    Hello, everyone!

    I'm trying to put the pieces together so that users authenticate via AD and then get out to the Internet.

    There is a Cisco ASA 5505. The AD Agent is installed on the domain controller (it reports dc up and client up), and the ASA picks up the user logins without a problem.
    IP addresses on the network are handed out by DHCP, which runs on the domain controller.

    The essence of the problem is that the user's Internet access drops after a while. That is, the user logs on to the computer, opens the browser, opens a few sites, then after 5-7 minutes of inactivity the Internet is no longer available. The Internet comes back when the user logs on again or the computer's "Local Area Connection" is disabled for 1 minute. Where should I dig?

    The configuration on the ASA is as follows:

    object-group user ACTIVE_ALLOW
     user-group DCU\\CASA61_Allow
     user DCU\User1
     user DCU\User2
    access-list inside_access_in_1 extended permit ip object-group-user ACTIVE_ALLOW
    192.168.1.0 255.255.255.0 any log debugging
    aaa-server ADA protocol radius
     ad-agent-mode
     interim-accounting-update
     reactivation-mode depletion deadtime 1
     merge-dacl after-avpair
    aaa-server ADA (inside) host dc61-01
     key *****
     radius-common-pw *****
     no mschapv2-capable
    aaa-server AD protocol ldap
     reactivation-mode depletion deadtime 1
    aaa-server AD (inside) host dc61-01
     ldap-base-dn dc=DCU,dc=local
     ldap-scope subtree
     ldap-naming-attribute sAMAccountName
     ldap-login-password *****
     ldap-login-dn CN=CISCOASA61,OU=Users_MC,dc=DCU,dc=local
     server-type microsoft
    user-identity domain DCU aaa-server AD
    user-identity domain DC61-01 aaa-server AD
    user-identity default-domain DCU
    user-identity action domain-controller-down DCU disable-user-identity-rule
    no user-identity action mac-address-mismatch remove-user-ip
    no user-identity inactive-user-timer
    user-identity logout-probe netbios local-system probe-time minutes 60 retry-interval seconds 5 retry-count 5 match-any
    user-identity poll-import-user-group-timer hours 12
    user-identity ad-agent active-user-database full-download
    user-identity ad-agent aaa-server ADA
    user-identity user-not-found enable

    At this point, while writing this message (20 min), I have been thrown off the Internet for 1 hour.

    Hello;

    Remove the NetBIOS probes and see if the problem goes away.

    Mike.

  • CISCO ASA5505 ver8.2 PAT lifesize videoconferencing port

    I just got a LifeSize videoconferencing system; my gateway is a Cisco ASA 5505 running version 8.2.1 and I only have one public/static IP address, so how do I set up PAT for the TCP/UDP port range 60000 to 64999?

    Double post.

    Go HERE.

  • refine for cisco device logging

    Dear Netpro community,

    I'm trying to tweak the AAA portion on a Cisco device.

    Here is my current setup:

    aaa new-model
    aaa authentication login default group radius local
    aaa authentication enable default group radius enable

    If the radius server is offline, the first level (login) is not a problem. However, the problem occurs when I want to go to enable mode. It will not use the locally set enable password, but instead goes and searches the radius server for authentication.

    Debug:

    test_switch>en
    Password:
    01:05:15: RADIUS: authenticating using $enab15$
    01:05:15: RADIUS: ustruct sharecount=1
    01:05:15: RADIUS: Initial Transmit tty0 id 44 x.x.x.x:1812, Access-Request, len 72
    01:05:15:         Attribute 4 6 AC10E10F
    01:05:15:         Attribute 5 6 00000000
    01:05:15:         Attribute 61 6 00000000
    01:05:15:         Attribute 1 10 24656E61
    01:05:15:         Attribute 2 18 69ABFDF8
    01:05:15:         Attribute 6 6 00000006
    01:05:20: RADIUS: Retransmit id 44
    01:05:25: RADIUS: Retransmit id 44
    01:05:30: RADIUS: Retransmit id 44
    Password:
    01:05:35: RADIUS: marking server x.x.x.x:1812,1813 dead
    01:05:35: RADIUS: Tried all servers.
    01:05:35: RADIUS: No valid server found. Trying any viable server
    01:05:35: RADIUS: Tried all servers.
    01:05:35: RADIUS: No response for id 44
    01:05:35: RADIUS: No response from server
    % Password: timeout expired.
    % Authentication failed.

    How can I make sure that I can get into privileged mode on the switch if there is no path to the radius server?

    It took 20 seconds from the initial transmit:

    01:05:15: RADIUS: Initial Transmit tty0 id 44 x.x.x.x:1812, Access-Request, len 72

    ... through three retransmits, until the server was marked dead:

    01:05:35: RADIUS: marking server x.x.x.x:1812,1813 dead

    Maybe you should mark a RADIUS server that is MIA as dead more quickly, by setting a timeout on the RADIUS server (for example 1 sec.).

    For example:

    radius-server host aaa.bbb.ccc.ddd auth-port 1812 acct-port 1813 timeout 1 key xxxxxxxxxx

    If the server is recognised as dead earlier (4 s, incl. 3 retransmits), maybe it's possible to use the locally configured enable password before the "password timeout" occurs.

    I can't say for sure that this will solve your problem, but I know I would want to try it to find out.

  • Tunnel VPN between two Cisco ASA5505 drops every 15-30 minutes

    ... authentication attempts but never reconnects.  I have to restart the appliance to bring the tunnel back.

    In the syslogs, I found the following:

    2010-07-07 13:28:34 Local4.Notice 10.0.0.254: Jul 07 10:22:22 UTC: %ASA-vpn-5-713259: Group = 74.126.85.149, IP = 74.126.85.149, Session is being torn down. Reason: Lost Service
    2010-07-07 13:28:34 Local4.Warning 10.0.0.254: Jul 07 10:22:22 UTC: %ASA-auth-4-113019: Group = 74.126.85.149, Username = 74.126.85.149, IP = 74.126.85.149, Session disconnected. Session Type: IPsec, Duration: 0h:36m:03s, Bytes xmt: 584567664, Bytes rcv: 156692759, Reason: Lost Service

    David,

    Indeed, this might be the reason.

    Any chance you can apply some kind of shaping? (If it comes to the worst, the ASA can do it quite decently, but only in the outbound direction AFAIR)

    Marcin
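The two threads above show ASA log lines in two shapes: the "%ASA-class-severity-id:" form a syslog server receives (the 713259/113019 session teardowns) and the "severity|date|id:" form "show logging asdm" prints (the 302020/302021 ICMP connection messages in the dual-ISP thread). As an added example for this page (not the posters' or Cisco's code), the following parses both shapes into message ID, severity and key/value fields, then applies the simple detection a defender would want for the tunnel-drop complaint: count "113019 Session disconnected" events per peer inside a sliding window and flag peers that keep dropping. The first two sample lines and the two ASDM lines are the ones quoted in the posts; the third line is a constructed repeat of the same drop, and the one-hour window and threshold of two are assumptions.

```python
"""Parse Cisco ASA log lines in the two shapes seen in this thread and flag
VPN peers whose IPsec sessions keep getting torn down.

Added example; not the posters' or Cisco's code. Sample lines 1, 2, 4 and 5
are quoted from the posts above; line 3 is a constructed repeat of the same
drop. The one-hour window and the threshold of two drops are assumptions."""
import re
from collections import defaultdict
from datetime import datetime

# Syslog-server form: '... %ASA-[class-]severity-id: text'
ASA_SYSLOG_RE = re.compile(
    r"%ASA-(?:(?P<cls>[a-z]+)-)?(?P<sev>\d)-(?P<id>\d{6}):\s*(?P<text>.*)$")
# 'show logging asdm' form: 'severity|date|id: text'
ASDM_RE = re.compile(r"^(?P<sev>\d)\|(?P<when>[^|]+)\|(?P<id>\d{6}):\s*(?P<text>.*)$")
# 'Key = value' / 'Key: value' pairs separated by commas (VPN messages)
KV_RE = re.compile(r"([A-Za-z ]+?)\s*[=:]\s*([^,]+)")
# faddr/gaddr/laddr pairs (connection built/teardown messages)
ADDR_RE = re.compile(r"\b(faddr|gaddr|laddr)\s+(\S+)")
# Receiver timestamp a syslog server prepends; used to place events in a window
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")

SAMPLE_LINES = [
    # Quoted in the tunnel-drop post (syslog-server form).
    "2010-07-07 13:28:34 Local4.Notice 10.0.0.254: Jul 07 10:22:22 UTC: %ASA-vpn-5-713259: Group = 74.126.85.149, IP = 74.126.85.149, Session is being torn down. Reason: Lost Service",
    "2010-07-07 13:28:34 Local4.Warning 10.0.0.254: Jul 07 10:22:22 UTC: %ASA-auth-4-113019: Group = 74.126.85.149, Username = 74.126.85.149, IP = 74.126.85.149, Session disconnected. Session Type: IPsec, Duration: 0h:36m:03s, Bytes xmt: 584567664, Bytes rcv: 156692759, Reason: Lost Service",
    # Constructed: the same peer dropping again half an hour later.
    "2010-07-07 13:58:40 Local4.Warning 10.0.0.254: Jul 07 10:52:28 UTC: %ASA-auth-4-113019: Group = 74.126.85.149, Username = 74.126.85.149, IP = 74.126.85.149, Session disconnected. Session Type: IPsec, Duration: 0h:29m:51s, Bytes xmt: 1048576, Bytes rcv: 4096, Reason: Lost Service",
    # Quoted in the dual-ISP post ('show logging asdm' form).
    "6|Sep 19 2011 10:27:37|302020: Built outbound ICMP connection for faddr 10.3.128.50/0 gaddr 10.4.1.66/1024 laddr 10.4.1.66/1024",
    "6|Sep 19 2011 10:27:39|302021: Teardown ICMP connection for faddr 10.3.128.50/0 gaddr 10.4.1.66/1024 laddr 10.4.1.66/1024",
    "not a firewall message at all",
]


def parse_line(line):
    """Return {'sev', 'id', 'text', 'fields'} for an ASA message, else None."""
    m = ASA_SYSLOG_RE.search(line) or ASDM_RE.match(line)
    if m is None:
        return None
    text = m.group("text")
    fields = {k.strip(): v.strip() for k, v in KV_RE.findall(text)}
    fields.update(ADDR_RE.findall(text))  # adds faddr/gaddr/laddr when present
    return {"sev": int(m.group("sev")), "id": m.group("id"),
            "text": text, "fields": fields}


def flapping_peers(lines, window_s=3600, threshold=2):
    """Peers with at least `threshold` 113019 'Session disconnected' events
    inside some `window_s`-second span, mapped to the count in that span."""
    drops = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["id"] != "113019":
            continue
        ts = TS_RE.match(line)
        if ts is None:
            continue  # no receiver timestamp, so it cannot be placed in a window
        when = datetime.strptime(ts.group(1), "%Y-%m-%d %H:%M:%S")
        drops[rec["fields"].get("IP")].append(when)
    flagged = {}
    for peer, times in drops.items():
        times.sort()
        for i, start in enumerate(times):
            j = i
            while j < len(times) and (times[j] - start).total_seconds() <= window_s:
                j += 1
            if j - i >= threshold:
                flagged[peer] = j - i
                break
    return flagged


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_line(line)
        if rec:
            print(rec["id"], rec["sev"], rec["fields"])
    print("flapping:", flapping_peers(SAMPLE_LINES))
```

The Duration and Bytes fields the parser pulls out of 113019 are what you would graph before deciding whether "Lost Service" correlates with traffic volume, which is the direction the reply above is pointing.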

  • Log InSight can work with Cisco Catalyst and Nexus devices?

    Hi guys,.

    Does anyone use Log Insight for Catalyst and Nexus devices?

    Yes, Log Insight will work with any unstructured data sent via the syslog protocol. Cisco devices are supported by having them remote-log to a syslog destination, in this case Log Insight.

  • Cisco ASA 5505 VPN passthrough

    Hello

    At home I've installed a Cisco ASA 5505 because the provider has the cable modem in transparent mode, so I have the public IP address on my firewall.

    It's also for training, because we have ASAs at work and I have no feel for them yet.

    But sometimes I have to build a VPN session to a server at work, and I don't get a connection to the server. If I remove the ASA 5505, the connection to the work server is fine. But when the ASA 5505 is back in place, the VPN does not connect to the outside world.

    Could someone point me in the right direction?

    Is it possible to create an outbound VPN connection through the Cisco ASA5505?

    Thanks in advance

    Greetings

    Palermo

    Hi Palermo,

    You didn't mention the type of VPN connection you use.

    If it is PPTP then you need the ASA to inspect the traffic so that the return traffic is allowed in from 'outside'. Try the following:

    !
    class-map inspection_default
     match default-inspection-traffic
    !
    policy-map global_policy
     class inspection_default
      inspect pptp
    !
    service-policy global_policy global
    !

    see you soon,

    SEB.

  • ASA5505 - VPN does not

    Hello everyone,

    I have problems getting IPsec VPN remote access to work.

    The goal is to be able to connect to our internal network from home or elsewhere.

    When I try to connect to my home VPN, I get no further than Phase 1.

    My architecture is a Cisco ASA5505 behind a modem-router from the ISP. The IP address of the modem, on the outside segment, is 192.168.1.1.

    The IP address of the ASA is 192.168.1.254 on the outside and 10.0.0.1 on the inside. I put the ASA in the DMZ of the ISP modem to be able to reach it from the Internet (I wanted to use the ISP modem-router just as a simple gateway in bridge mode and handle everything else with the ASA).

    So my problem is that I can't seem to connect to the VPN through the public IP address.

    Here is my config:

    : Saved

    :

    ASA Version 8.2(5)

    !

    hostname Cisco-ASA-5505

    enable password 8Ry2YjIyt7RRXU24 encrypted

    passwd 2KFQnbNIdI.2KYOU encrypted

    names

    !

    interface Ethernet0/0

    switchport access vlan 2

    !

    interface Ethernet0/1

    !

    interface Ethernet0/2

    !

    interface Ethernet0/3

    !

    interface Ethernet0/4

    !

    interface Ethernet0/5

    !

    interface Ethernet0/6

    !

    interface Ethernet0/7

    !

    interface Vlan1

    nameif inside

    security-level 100

    ip address 10.0.0.1 255.255.255.0

    !

    interface Vlan2

    nameif outside

    security-level 0

    ip address 192.168.1.254 255.255.255.0

    !

    ftp mode passive

    clock timezone GMT 1

    access-list NONAT extended permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0

    pager lines 24

    logging asdm informational

    mtu inside 1500

    mtu outside 1500

    ip local pool VPNpool 10.0.1.1-10.0.1.50

    icmp unreachable rate-limit 1 burst-size 1

    no asdm history enable

    arp timeout 14400

    global (outside) 1 interface

    nat (inside) 0 access-list NONAT

    nat (inside) 1 0.0.0.0 0.0.0.0

    route outside 0.0.0.0 0.0.0.0 192.168.1.1 1

    route inside 192.168.2.0 255.255.255.0 10.0.0.42 1

    timeout xlate 3:00:00

    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

    timeout tcp-proxy-reassembly 0:01:00

    timeout floating-conn 0:00:00

    dynamic-access-policy-record DfltAccessPolicy

    aaa authentication ssh console LOCAL

    http server enable

    http 192.168.1.0 255.255.255.0 inside

    no snmp-server location

    no snmp-server contact

    snmp-server enable traps snmp authentication linkup linkdown coldstart

    crypto ipsec transform-set RA-TS esp-aes-256 esp-sha-hmac

    crypto ipsec security-association lifetime seconds 28800

    crypto ipsec security-association lifetime kilobytes 4608000

    crypto dynamic-map DYN-MAP 10 set transform-set RA-TS

    crypto map VPN-MAP 30 ipsec-isakmp dynamic DYN-MAP

    crypto map VPN-MAP interface outside

    crypto isakmp enable outside

    crypto isakmp policy 20

    authentication pre-share

    encryption aes-256

    hash sha

    group 2

    lifetime 3600

    telnet timeout 5

    ssh 192.168.1.0 255.255.255.0 inside

    ssh 10.0.0.0 255.255.255.0 inside

    ssh timeout 5

    console timeout 0

    dhcpd address 10.0.0.10-10.0.0.40 inside

    dhcpd dns 81.253.149.9 80.10.246.1 interface inside

    dhcpd update dns both override interface inside

    dhcpd enable inside

    !

    threat-detection basic-threat

    threat-detection statistics access-list

    no threat-detection statistics tcp-intercept

    tftp-server inside 10.0.0.42 /srv/tftp/cisco-rtr-01-config

    webvpn

    username admin password 4RdDnLO1w2ilihWc encrypted

    username test password zGOnThs6HPdiZhqs encrypted

    tunnel-group testvpn type remote-access

    tunnel-group testvpn general-attributes

    address-pool VPNpool

    tunnel-group testvpn ipsec-attributes

    pre-shared-key *****

    !

    !

    prompt hostname context

    no call-home reporting anonymous

    Cryptochecksum:c3d233f44e742110aa0ce1f81173d47c

    : end

    My config to the client is attached.

    When I look at what happens during the connection with Wireshark, I see 'Port Unreachable'. Do I have to do something on my ISP router? Because I read that it is not necessary to use NAT if the device is in the DMZ.

    Can you help me please?

    Because you have that address on your external interface, you will need to tell your router to forward the traffic to the ASA. So you can do NAT or a port forward to the ASA.

    I guess you don't have a single public IP address assigned by your ISP.

    Kind regards

    Jan

  • How to change the ASA and ASDM on ASA5505 questioned once

    Can anyone suggest the way to upgrade the software on the Cisco ASA5505, both ASA and ASDM at the same time, without the trouble I just had?

    Here is what happened.  I copied the files asa821-k8.bin and asdm-621.bin to flash, then renamed the old versions to Oasa724-k8.bin and Oasdm-524.bin and then issued the reload command from the Windows GUI.

    Big mistake: I lost ASDM connectivity entirely and was obliged to buy a USB to serial adapter and plug a cable into the CLI console port so I could get back into the unit.  I found that it was running the asa821-k8.bin kernel, as expected, but apparently the ASDM was still at version 5.24.

    Should I have created a new folder and moved the older versions of the files there, then issued the reload command and hoped for the best?

    I feel that I've fouled things up; I guess I have to use tftp to reload the boot image to get the ASA5505 back up again (using the ROMMON commands).

    In fact, the only way I was able to recover the Windows GUI was to use the boot command with the older asa724-k8.bin image.

    What is the right way to upgrade to the new versions asa 8.2(1) and asdm 6.2(1)?

    Really, I don't want to risk losing my ability to talk to this box, and I spent an anxious afternoon yesterday when I got the pop-up message box "cannot display the asdm manager".

    ======

    After working with the CLI port, I noticed the following error:

    Device Manager image set, but unable to find disk0:/asdm-524.bin
    *** Output from config line 75, "asdm image disk0:/asdm-5..."

    So apparently the configuration file must point to the correct ASDM image, and just blindly changing the files in the folder will NOT work.

    ========

    After working more with the CLI port and the Windows GUI, I found that the 'asdm image' command did NOT work in the CLI, but was apparently working in the GUI, so I ran this command to tell the system to use the recent 6.21 on startup.

    After that and issuing the reload command from the CLI, I was able to come up successfully with the latest ASA and ASDM software.

    I would add that having CLI access is valuable in this case.

    I DON'T know why the 'asdm image' command appears inaccessible on the CLI port.

    Any ideas?

    As far as I'm concerned this problem has been resolved (through trial and error).

    The ASA on boot tries to use the file named in the 'boot system' command in the config. If it doesn't find this file (it was not there because you renamed it), it boots the first image it finds...

    However, for ASDM the ASA uses just the image you have pointed it at. You were pointing to asdm 5.2 and renamed it, so there was no valid ASDM image to use.

    In other words you should have just changed the 'asdm image' and 'boot system' commands in the config to point to the new files, saved the configuration and reloaded, and then it would have worked fine.

    I hope it helps.

    PK

  • Cisco WLC 2125 mounting kit

    It says in the product documentation for the WLC 2125 that there is a rack mounting kit "for flexible deployment".

    Can someone please point me in the right direction on the part number?

    Maybe it's the same kit as for the ASA5505, as the boxes appear to be somewhat identical...?

    -OCEAN

    Hi Ocean,

    Yes, it's a good guess; I'm guessing the ASA 5505 and WLC 2100 must use the same chassis.

    http://www.Cisco.com/en/us/docs/security/ASA/HW/maintenance/guide/procs.html#wp104420

    Or this one, kindly provided by Scott:

    http://www.cablesandkits.com/Cisco-ASA5505-rack-mount-kit-p-1415.html

    I hope this helps!
    Rob

  • ASA5505 with 10 users. Need to connect 25 remote users with AnyConnect client

    Hello to everyone.

    I have an ASA5505 with a 10-user license. I need to connect 25 remote users via SSL VPN (in my case the Cisco AnyConnect client). So I have to buy the Security Plus license (ASA5505-SEC-PL=) for more than 10 simultaneous VPN connections on the Cisco ASA 5505. Correct?

    And the main question: do I need to order the user upgrade license (for example ASA5505-SW-10-50= or ASA5505-SW-10-UL=) for my Cisco ASA5505 in order to have 25 concurrent remote-user connections without restriction for each remote user?

    You need the SecPlus license for more remote access users. But you don't need an extra user license if you still have only up to 10 internal systems.

  • ASA5505 SSL AnyConnect VPN and NAT reverse path failure

    I've been working on this for a while and just haven't found a solution yet.

    I have a Cisco ASA5505 set up at home and I'm trying to use the AnyConnect VPN client with it.  I followed the ASA 8.x split tunnel example but I'm still missing something.

    My home network is 10.170.x.x and I set the VPN address pool to 10.170.13.x. I have a Windows workstation running at 10.170.0.6, printers at 10.170.0.20 and .21, and the inside of the router itself is 10.170.0.1.

    I can connect from the outside and am assigned an IP address of 10.170.13.10, but when I try to access network resources via ICMP or open a web page, the ASDM log shows a bunch of this:

    5 | January 27, 2010 | 10:33:37 | 305013 | 10.170.255.255 | 137 | Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.170.13.10/137 dst inside:10.170.255.255/137 denied due to NAT reverse path failure
    5 | January 27, 2010 | 10:33:36 | 305013 | 10.170.255.255 | 137 | Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.170.13.10/137 dst inside:10.170.255.255/137 denied due to NAT reverse path failure
    5 | January 27, 2010 | 10:33:35 | 305013 | 10.170.255.255 | 137 | Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.170.13.10/137 dst inside:10.170.255.255/137 denied due to NAT reverse path failure
    5 | January 27, 2010 | 10:33:34 | 305013 | 10.170.0.6 | Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.170.13.10 dst inside:10.170.0.6 (type 8, code 0) denied due to NAT reverse path failure
    5 | January 27, 2010 | 10:33:30 | 305013 | 10.170.255.255 | 137 | Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.170.13.10/137 dst inside:10.170.255.255/137 denied due to NAT reverse path failure
    5 | January 27, 2010 | 10:33:29 | 305013 | 10.170.255.255 | 137 | Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.170.13.10/137 dst inside:10.170.255.255/137 denied due to NAT reverse path failure
    5 | January 27, 2010 | 10:33:28 | 305013 | 10.170.255.255 | 137 | Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.170.13.10/137 dst inside:10.170.255.255/137 denied due to NAT reverse path failure
    5 | January 27, 2010 | 10:33:28 | 305013 | 10.170.0.6 | Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.170.13.10 dst inside:10.170.0.6 (type 8, code 0) denied due to NAT reverse path failure
    5 | January 27, 2010 | 10:33:23 | 305013 | 10.170.0.6 | Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.170.13.10 dst inside:10.170.0.6 (type 8, code 0) denied due to NAT reverse path failure
    5 | January 27, 2010 | 10:33:17 | 305013 | 10.170.0.6 | Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.170.13.10 dst inside:10.170.0.6 (type 8, code 0) denied due to NAT reverse path failure
    5 | January 27, 2010 | 10:33:13 | 305013 | 10.170.0.6 | Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.170.13.10 dst inside:10.170.0.6 (type 8, code 0) denied due to NAT reverse path failure
    5 | January 27, 2010 | 10:33:07 | 305013 | 10.170.0.6 | Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.170.13.10 dst inside:10.170.0.6 (type 8, code 0) denied due to NAT reverse path failure

    I've tried several things with NAT but haven't been able to get past this.  Would anyone mind looking at my running config and helping me with this?  Thanks a bunch!

    -Tim

    A couple of points to check.

    name 10.17.13.0 UFP-VPN-pool looks like it should be name 10.170.13.0 UFP-VPN-pool

    inside_nat0_outbound to access extended list ip allow list zero 255.255.0.0 255.255.255.0 UFP-VPN-pool

    Looks like it should be this one:

    inside_nat0_outbound to list extended ip access list zero UFP-VPN-pool 255.255.255.0 255.255.255.0 allow
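As an added example (not the poster's config or any code from the thread), here is a small Python parser that reads ASDM log-viewer rows like the ones above, keeps only the %ASA-5-305013 reverse-path denials whose source sits in the VPN pool, and reports which (client, inside network) pairs still lack a nat 0 exemption. The sample rows are constructed, and the /24 pool and /16 inside masks are assumptions drawn from the post.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample rows in the ASDM log-viewer layout seen in the post:
# severity | date | time | syslog id | destination [| dst port] | message.
# The message wording is the standard %ASA-5-305013 text.
SAMPLE_ROWS = """\
5 | January 27, 2010 | 10:33:37 | 305013 | 10.170.255.255 | 137 | Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.170.13.10/137 dst inside:10.170.255.255/137 denied due to NAT reverse path failure
5 | January 27, 2010 | 10:33:34 | 305013 | 10.170.0.6 | Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.170.13.10 dst inside:10.170.0.6 (type 8, code 0) denied due to NAT reverse path failure
5 | January 27, 2010 | 10:33:20 | 305013 | 10.170.0.6 | 80 | Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:198.51.100.7/4402 dst inside:10.170.0.6/80 denied due to NAT reverse path failure
6 | January 27, 2010 | 10:33:10 | 302013 | 10.170.0.6 | 80 | Built inbound TCP connection 12 for outside:10.170.13.10/4403 (10.170.13.10/4403) to inside:10.170.0.6/80 (10.170.0.6/80)
"""

# Fields of the 305013 message body; the port is absent for ICMP, so it is optional.
NAT_RPF_RE = re.compile(
    r"Connection for (?P<proto>\w+) src (?P<src_if>\w+):(?P<src>[\d.]+)(?:/\d+)?"
    r" dst (?P<dst_if>\w+):(?P<dst>[\d.]+)(?:/\d+)?.*denied due to NAT reverse path failure"
)

def parse_rows(text):
    """Yield (syslog_id, message) from '|'-separated rows; ICMP rows lack the port column."""
    for line in text.splitlines():
        cols = [c.strip() for c in line.split("|")]
        if len(cols) >= 6:
            yield cols[3], cols[-1]

def find_nat_exemption_gaps(text, vpn_pool, inside_nets):
    """Count 305013 reverse-path denials from VPN-pool clients, keyed by
    (client IP, inside network hit): the pairs the inside nat 0 ACL must exempt."""
    pool = ipaddress.ip_network(vpn_pool)
    nets = [ipaddress.ip_network(n) for n in inside_nets]
    gaps = Counter()
    for msg_id, msg in parse_rows(text):
        m = NAT_RPF_RE.search(msg) if msg_id == "305013" else None
        if m is None:
            continue
        src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
        if src not in pool:  # not tunnel traffic: a different NAT problem
            continue
        hit = next((str(n) for n in nets if dst in n), "unmatched")
        gaps[(str(src), hit)] += 1
    return gaps

if __name__ == "__main__":
    # Pool and inside network from the post above (/24 and /16 are assumptions).
    for (client, net), n in find_nat_exemption_gaps(SAMPLE_ROWS, "10.170.13.0/24", ["10.170.0.0/16"]).items():
        print(f"{client} -> {net}: {n} denials, needs a nat 0 exemption")
```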
